Hello.
I am new to MikroTik, so please do not burn me too much.
I have a problem connecting to a LAN that is behind a MikroTik router.
The connection works between our HQ and the remote MikroTik network over IPsec.
Example 1:
HQ(192.168.10.0/24)<==ipsec==>Mikrotik LAN(192.168.80.0/24)
- This layout works.
It does not work between another remote unit and the MikroTik network.
Example 2:
Dislocated unit(192.168.9.0/24) <==ipsec==> HQ(192.168.10.0/24) <==ipsec==> Mikrotik LAN(192.168.80.0/24)
- This does not work. I cannot get a connection from 192.168.9.0/24 to 192.168.80.0/24.
- We have other sites with the exact same layout that do not use MikroTik, and they work.
MikroTik firewall configuration:
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
1 chain=input action=accept protocol=udp port=500 log=no log-prefix=""
2 chain=input action=accept protocol=udp dst-port=1701,500,4500 log=no log-prefix=""
3 chain=input action=accept protocol=tcp log=no log-prefix=""
4 chain=output action=accept out-interface-list=all log=no log-prefix=""
5 chain=input action=accept log=no log-prefix=""
6 chain=forward action=accept log=no log-prefix=""
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade log=no log-prefix=""
1 chain=srcnat action=accept out-interface=lte1 log=no log-prefix=""
2 chain=srcnat action=accept log=no log-prefix=""
3 chain=srcnat action=accept src-address=192.168.80.0/24 dst-address=192.168.10.0/24 log=no log-prefix=""
4 X chain=srcnat action=accept src-address=10.212.134.0/24 dst-address=192.168.80.0/24 log=no log-prefix=""
5 chain=srcnat action=accept src-address=192.168.10.0/24 dst-address=192.168.80.0/24 log=no log-prefix=""
MikroTik IPsec configuration:
[admin@MikroTik] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 A src-address=192.168.80.0/24 src-port=any dst-address=192.168.10.0/24 dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=222.222.222.222 sa-dst-address=111.111.111.111 proposal=proposal1 priority=0
ph2-count=1
[admin@MikroTik] > ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 address=111.111.111.111/32 auth-method=pre-shared-key secret="SomeRandonPSK" generate-policy=no policy-template-group=default
exchange-mode=main send-initial-contact=no nat-traversal=yes proposal-check=claim hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
[admin@MikroTik] > ip ipsec proposal print
Flags: X - disabled, * - default
0 X* name="default" auth-algorithms=sha512 enc-algorithms=aes-192-cbc,des lifetime=1h pfs-group=modp1024
1 name="proposal1" auth-algorithms=sha1 enc-algorithms=3des lifetime=1h pfs-group=none
Any help would be appreciated.
Best regards
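Added example, not part of the original post and not a MikroTik-supplied configuration. The posted policy 1 only selects traffic between 192.168.80.0/24 and 192.168.10.0/24, so packets to or from 192.168.9.0/24 never match an IPsec policy on the MikroTik side and are handled by plain routing instead. For a spoke to reach another spoke through the hub, each end needs a policy whose selectors cover the extra subnet pair, and the srcnat bypass for tunnelled traffic has to sit above the masquerade rule, because RouterOS firewall rules are evaluated top down and the posted rule 0 (masquerade, no matchers) terminates the chain before the accept rules below it are reached. The commands assume the peer address 111.111.111.111, the local address 222.222.222.222 and the proposal name proposal1 from the post, use the RouterOS 6 policy syntax shown there (RouterOS 7 binds a policy with peer= instead of sa-src-address/sa-dst-address), and assume the HQ side gets the mirror-image policy for 192.168.9.0/24 <-> 192.168.80.0/24, which is not shown. The proposal is left as posted; 3DES, SHA1 and modp1024 are legacy choices that a current deployment should replace with AES, SHA2 and a larger DH group once both ends support them.

```routeros
# Added example, not from the original post. Assumes the peer, local
# address and proposal name shown in the post; the HQ side needs the
# mirror-image policy (src 192.168.9.0/24, dst 192.168.80.0/24).

# Policy 1 from the post (192.168.80.0/24 -> 192.168.10.0/24) already
# exists; only the missing subnet pair is added, to the same SA endpoints.
/ip ipsec policy
add src-address=192.168.80.0/24 dst-address=192.168.9.0/24 protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=222.222.222.222 sa-dst-address=111.111.111.111 \
    proposal=proposal1 comment="spoke behind HQ"

# NAT: the posted rule 0 (action=masquerade, no matchers) catches every
# packet first, so the accept rules at positions 3 and 5 are dead.
# place-before=0 inserts the bypass rules at the top of the chain.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.80.0/24 \
    dst-address=192.168.10.0/24 place-before=0 comment="IPsec bypass HQ"
add chain=srcnat action=accept src-address=192.168.80.0/24 \
    dst-address=192.168.9.0/24 place-before=0 comment="IPsec bypass spoke"
# Equivalent single rule using the firewall IPsec policy matcher
# (RouterOS 6 and later): match anything an outbound policy will encrypt.
# add chain=srcnat action=accept ipsec-policy=out,ipsec place-before=0

# Check: the new policy should carry flag A (active) with ph2-count=1 once
# phase 2 completes, and an SA pair for it should appear in installed-sa.
/ip ipsec policy print
/ip ipsec installed-sa print
/ip firewall nat print
```

If the policy stays inactive, the HQ end is the usual cause: its phase 2 selectors must be the exact mirror (local 192.168.9.0/24, remote 192.168.80.0/24) or the proxy-ID check fails; `/log print where topics~"ipsec"` on the MikroTik shows the rejected selectors.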